Flipped Classroom Lecture 20/9 [RG]: Malware

Content

Basic concepts and terminology related to malware. Propagation techniques: worms, virus, and trojan horses. Payloads: ransomware, zombie. Countermeasures. The case of Stuxnet.

The live lecture will consist of two parts. In the first part you will be divided into groups and discuss a few questions (from previous exams) related to malware. At the end of the first part someone can present the solutions and we will discuss the reasoning behind them. In the second part we will answer questions regarding malware.

Please watch the videos and try to solve the previous-exam exercises before the live lecture.

Previous exam questions (true/false)

  1. To identify if a program contains a virus, it is sufficient to check for the presence of a fixed binary fragment in the program code.
  2. To identify malware, untrusted software can be executed in a controlled environment that monitors the software’s behavior.
  3. A botnet is a network of compromised computers that are controlled by an attacker.
  4. An encrypting malware is a malware that uses encryption to make the binary of each infection unique.
  5. If a ransomware uses asymmetric encryption, then it is possible to recover the encrypted files by extracting the encryption key from the malware memory while the malware is running.
  6. A secure mechanism to detect malware is to execute unknown applications on your own computer and periodically inspect the application binary.

Lab Exercise

Malware

Reading

  • Chapter 10 in Gollmann (2011).
  • Chapter 21.3 Trojans, Viruses, Worms and Rootkits in Anderson (2008).

Other resources

Slides

Malware (slides available for download)

Videos

Malware: introduction

Propagation methods

Payloads

Other techniques

Countermeasures

Case study: cyberwar and Stuxnet